KYLIN-2696 Check SQL injection in filter condition
Project: http://git-wip-us.apache.org/repos/asf/kylin/repo Commit: http://git-wip-us.apache.org/repos/asf/kylin/commit/2546e00c Tree: http://git-wip-us.apache.org/repos/asf/kylin/tree/2546e00c Diff: http://git-wip-us.apache.org/repos/asf/kylin/diff/2546e00c Branch: refs/heads/KYLIN-2606 Commit: 2546e00cf2f80b0f8abba9ec3cfe9a0fbce5cb4f Parents: e7f9dab Author: Xiaqing <454530...@qq.com> Authored: Fri Jun 30 09:42:07 2017 +0800 Committer: liyang-gmt8 <liy...@apache.org> Committed: Fri Jun 30 09:42:07 2017 +0800 ---------------------------------------------------------------------- .../kylin/metadata/model/DataModelDesc.java | 43 ++++++++++++++++++++ 1 file changed, 43 insertions(+) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/kylin/blob/2546e00c/core-metadata/src/main/java/org/apache/kylin/metadata/model/DataModelDesc.java ---------------------------------------------------------------------- diff --git a/core-metadata/src/main/java/org/apache/kylin/metadata/model/DataModelDesc.java b/core-metadata/src/main/java/org/apache/kylin/metadata/model/DataModelDesc.java index 91802f7..341f36e 100644 --- a/core-metadata/src/main/java/org/apache/kylin/metadata/model/DataModelDesc.java +++ b/core-metadata/src/main/java/org/apache/kylin/metadata/model/DataModelDesc.java @@ -352,6 +352,7 @@ public class DataModelDesc extends RootPersistentEntity { initDimensionsAndMetrics(); initPartitionDesc(); initComputedColumns(ccInfoMap); + initFilterCondition(); boolean reinit = validate(); if (reinit) { // model slightly changed by validate() and must init() again @@ -505,6 +506,48 @@ public class DataModelDesc extends RootPersistentEntity { } } + //Check if the filter condition is illegal. + private void initFilterCondition() { + if (null == this.filterCondition) { + return; + } + int quotationType = 0; + int len = this.filterCondition.length(); + for (int i = 0; i < len; i++) { + //If a ';' which is not within a string is found, throw exception. + if (';' == this.filterCondition.charAt(i) && 0 == quotationType) { + throw new IllegalStateException( + "Filter Condition is Illegal. Please check it and make sure it's an appropriate expression for WHERE clause"); + } + if ('\'' == this.filterCondition.charAt(i)) { + if (quotationType > 0) { + if (1 == quotationType) { + quotationType = 0; + continue; + } + } else { + if (0 == quotationType) { + quotationType = 1; + continue; + } + } + } + if ('"' == this.filterCondition.charAt(i)) { + if (quotationType > 0) { + if (2 == quotationType) { + quotationType = 0; + continue; + } + } else { + if (0 == quotationType) { + quotationType = 2; + continue; + } + } + } + } + } + private void checkSameCCDefinition(Map<String, CCInfo> ccInfoMap, ComputedColumnDesc thisCCDesc, String thisCCName) { //check whether two computer columns's definition is the same.
